National firm's credit card arm breached

Customer, merchant data not affected, Heartland says.

Customer, merchant data not affected, Heartland says.

January 23, 2009

PRINCETON, N.J. (AP) -- Payments processor Heartland Payment Systems Inc. said this week its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached last year, but asserted that merchant and customer data were not affected. Robert H.B. Baldwin Jr., president and CFO, said the company found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as Visa and MasterCard. Heartland, based in Princeton, N.J., said the breach did not involve merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers. And the company said none of its check management or Canadian or payroll systems or the recently acquired Network Services and Chockstone processing platforms were affected. Baldwin said in an interview that the only information breached were card numbers and cardholders' names, or one or the other. Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said. Heartland is increasing security in its systems and will establish a program to flag "network anomalies" as they occur and enable law enforcement to arrest those suspected of interfering with computer systems. Heartland also has established a Web site, www.2008breach.com, to provide information about the incident and advised cardholders to examine their monthly statements and report suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.